<!DOCTYPE html>
<html lang="en" country="us">
<head>

<style>
    /* Added to <html> by the Google Optimize anti-flicker snippet that follows;
       keeps the page invisible until Optimize removes the class or the snippet's
       own timeout removes it. */
    .async-hide {
        opacity: 0 !important;
    }
</style>
<script data-cfasync="false">
    // Google Optimize anti-flicker snippet. It adds the "async-hide" class to <html>
    // (styled to opacity 0 above) and publishes dataLayer.hide so Optimize can end the
    // hide once it has loaded; a 1900 ms timer ends it regardless so the page is never
    // left blank if optimize.js is slow or blocked. Skipped on hosts whose name
    // contains "marketodesigner".
    if (!/marketodesigner/i.test(window.location.hostname)) {
        (function (root, docEl, hideClass, layerName, timeoutMs, hide) {
            docEl.className += ' ' + hideClass;
            hide.start = Date.now();
            // end() strips the class; exposed on the hide object so Optimize can call it early.
            var end = function () {
                docEl.className = docEl.className.replace(RegExp(' ?' + hideClass), '');
            };
            hide.end = end;
            (root[layerName] = root[layerName] || []).hide = hide;
            // Fallback: unhide after timeoutMs and clear hide.end so a late Optimize
            // load does not re-run it.
            setTimeout(function () {
                end();
                hide.end = null;
            }, timeoutMs);
            hide.timeout = timeoutMs;
        })(window, document.documentElement, 'async-hide', 'dataLayer', 1900,
            {'GTM-N8HXDD2': true});
    }
</script>
<!-- Loads Google Optimize. The inline onerror handler ends the anti-flicker hide early if
     optimize.js fails to load. Two review notes: an inline event handler needs 'unsafe-inline'
     (or 'unsafe-hashes') under a script-src CSP, so it would be blocked by a strict policy;
     and there is no integrity attribute, which is expected for a vendor-served script whose
     content is not pinned, but it means the page fully trusts that origin. -->
<script data-cfasync="false" async src="https://www.googleoptimize.com/optimize.js?id=GTM-N8HXDD2" onerror="dataLayer.hide.end && dataLayer.hide.end()"></script>

<script data-cfasync="false">
    // Google Tag Manager loader: records the start timestamp on the data layer, then
    // injects gtm.js asynchronously ahead of the first <script> in the document.
    (function (root, doc, tagName, layerName, containerId) {
        var layer = root[layerName] = root[layerName] || [];
        layer.push({'gtm.start': new Date().getTime(), event: 'gtm.js'});
        // A non-default data-layer name is passed to gtm.js via the "l" query parameter.
        var layerParam = layerName != 'dataLayer' ? '&l=' + layerName : '';
        var firstScript = doc.getElementsByTagName(tagName)[0];
        var loader = doc.createElement(tagName);
        loader.async = true;
        loader.src = 'https://www.googletagmanager.com/gtm.js?id=' + containerId + layerParam;
        firstScript.parentNode.insertBefore(loader, firstScript);
    })(window, document, 'script', 'dataLayer', 'GTM-5V5LPNC');
</script>

<!-- NOTE(review): the charset declaration must appear within the first 1024 bytes of the
     document for the encoding prescan to see it; here it follows several inline scripts,
     so it should be moved to the top of <head>. HandheldFriendly, MobileOptimized and
     cleartype are legacy vendor hints; the viewport meta is what current browsers use. -->
<meta charset="UTF-8">
<meta name="HandheldFriendly" content="True">
<meta name="MobileOptimized" content="320">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta http-equiv="cleartype" content="on">
<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

<title>LemonDuck Botnet Targets Docker for Cryptomining Operations | CrowdStrike</title>
<meta name="description" content="The CrowdStrike Cloud Threat Research team recently detected the LemonDuck botnet actively targeting Docker to mine cryptocurrency on the Linux platform." />
<link rel="canonical" href="https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/" />
<meta property="og:locale" content="en_US" />
<meta property="og:type" content="article" />
<meta property="og:title" content="LemonDuck Botnet Targets Docker for Cryptomining Operations | CrowdStrike" />
<meta property="og:description" content="The CrowdStrike Cloud Threat Research team recently detected the LemonDuck botnet actively targeting Docker to mine cryptocurrency on the Linux platform." />
<meta property="og:url" content="https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/" />
<meta property="og:site_name" content="crowdstrike.com" />
<meta property="article:publisher" content="https://www.facebook.com/CrowdStrike/" />
<meta property="article:published_time" content="2022-04-21T08:23:55+00:00" />
<meta property="article:modified_time" content="2022-04-21T12:37:55+00:00" />
<meta property="og:image" content="https://www.crowdstrike.com/wp-content/uploads/2022/04/Blog_1060x698-11.jpeg" />
<meta property="og:image:width" content="1060" />
<meta property="og:image:height" content="698" />
<meta property="og:image:type" content="image/jpeg" />
<meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:creator" content="@CrowdStrike" />
<meta name="twitter:site" content="@CrowdStrike" />
<meta name="twitter:label1" content="Written by" />
<meta name="twitter:data1" content="Manoj Ahuje" />
<meta name="twitter:label2" content="Est. reading time" />
<meta name="twitter:data2" content="7 minutes" />
<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://www.crowdstrike.com/#website","url":"https://www.crowdstrike.com/","name":"crowdstrike.com","description":"Next-Generation Endpoint Protection","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.crowdstrike.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/#primaryimage","inLanguage":"en-US","url":"https://www.crowdstrike.com/wp-content/uploads/2022/04/Blog_1060x698-11.jpeg","contentUrl":"https://www.crowdstrike.com/wp-content/uploads/2022/04/Blog_1060x698-11.jpeg","width":1060,"height":698},{"@type":"WebPage","@id":"https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/#webpage","url":"https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/","name":"LemonDuck Botnet Targets Docker for Cryptomining Operations | CrowdStrike","isPartOf":{"@id":"https://www.crowdstrike.com/#website"},"primaryImageOfPage":{"@id":"https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/#primaryimage"},"datePublished":"2022-04-21T08:23:55+00:00","dateModified":"2022-04-21T12:37:55+00:00","author":{"@id":"https://www.crowdstrike.com/#/schema/person/f7c66353844b7e1276065f49c51c7a08"},"description":"The CrowdStrike Cloud Threat Research team recently detected the LemonDuck botnet actively targeting Docker to mine cryptocurrency on the Linux 
platform.","breadcrumb":{"@id":"https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/"]}]},{"@type":"BreadcrumbList","@id":"https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"LemonDuck Targets Docker for Cryptomining Operations"}]},{"@type":"Person","@id":"https://www.crowdstrike.com/#/schema/person/f7c66353844b7e1276065f49c51c7a08","name":"Manoj Ahuje","image":{"@type":"ImageObject","@id":"https://www.crowdstrike.com/#personlogo","inLanguage":"en-US","url":"http://1.gravatar.com/avatar/10917c253c54bcd793b2f99703c1d217?s=96&d=mm&r=g","contentUrl":"http://1.gravatar.com/avatar/10917c253c54bcd793b2f99703c1d217?s=96&d=mm&r=g","caption":"Manoj Ahuje"},"url":"https://www.crowdstrike.com/blog/author/manoj-ahuje/"}]}</script>

<link rel="preload" href="https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/header/megamenu-content.json" as="json"><link rel="preload" href="https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/header/top-nav.json" as="json"><link rel="preload" href="https://www.crowdstrike.com/wp-content/themes/main-theme/dist/data/blog/blog-nav.json" as="json"><style id='global-styles-inline-css' type='text/css'>
body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: 
linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--duotone--dark-grayscale: url('#wp-duotone-dark-grayscale');--wp--preset--duotone--grayscale: url('#wp-duotone-grayscale');--wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');--wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');--wp--preset--duotone--midnight: url('#wp-duotone-midnight');--wp--preset--duotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) 
!important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) 
!important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) 
!important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;}
</style>
<!-- Theme stylesheets, scripts and icons. The script elements carry a non-standard type
     (a hash prefix before "text/javascript"), so browsers treat them as inert data blocks;
     they execute only if a loader script rewrites the type at runtime — this looks like
     Cloudflare Rocket Loader (confirm). The same-origin scripts have no integrity attribute;
     SRI is optional for first-party assets but would pin the ?ver= builds. -->
<link rel='stylesheet' id='single-post.min.css-css' href='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/styles/pages/single-post.min.css?ver=1650391678' type='text/css' media='all' />
<link rel='stylesheet' id='theme-styles-css' href='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/styles/theme-styles.min.css?ver=1650391678' type='text/css' media='screen' />
<link rel='stylesheet' id='tablepress-default-css' href='https://www.crowdstrike.com/wp-content/tablepress-combined.min.css?ver=3' type='text/css' media='all' />
<script type="ed96c40778f29c2367427de9-text/javascript" src='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/fetch-inject.js?ver=1650391678' id='fetch-inject-js'></script>
<script type="ed96c40778f29c2367427de9-text/javascript" src='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/components/blog-navigation.min.js?ver=1650391678' id='blog-navigation-js'></script>
<script type="ed96c40778f29c2367427de9-text/javascript" src='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/components/blog-categories.min.js?ver=1650391678' id='blog-categories-js'></script>
<script type="ed96c40778f29c2367427de9-text/javascript" src='https://www.crowdstrike.com/wp-content/themes/main-theme/dist/scripts/components/blog-category-sidebar.min.js?ver=1650391678' id='blog-category-sidebar-js'></script>
<link rel='shortlink' href='https://www.crowdstrike.com/?p=119388' />
<link rel="icon" href="https://www.crowdstrike.com/wp-content/uploads/2018/09/favicon-96x96.png" sizes="32x32" />
<link rel="icon" href="https://www.crowdstrike.com/wp-content/uploads/2018/09/favicon-96x96.png" sizes="192x192" />
<link rel="apple-touch-icon" href="https://www.crowdstrike.com/wp-content/uploads/2018/09/favicon-96x96.png" />
<meta name="msapplication-TileImage" content="https://www.crowdstrike.com/wp-content/uploads/2018/09/favicon-96x96.png" />
</head>
<body class="post-template-default single single-post postid-119388 single-format-standard lang-en">

<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-5V5LPNC&nojs=1"
height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>

<script type="application/ld+json">
    {
        "@context": "http://schema.org",
        "@type": "Organization",
        "name": "CrowdStrike",
        "url": "http://www.crowdstrike.com",
        "logo": "http://www.crowdstrike.com/wp-content/img/cs_logo.png",
        "sameAs": [
            "http://www.facebook.com/CrowdStrike/",
            "http://www.twitter.com/CrowdStrike/",
            "https://plus.google.com/101967380457820256808/",
            "http://www.linkedin.com/company/crowdstrike",
            "http://www.youtube.com/user/CrowdStrike"
        ]
    }
</script>
<div class="cs_page_container ">
<div class="cs_page_content">
<div class="cs_main_section">
<main class="main">
<article>
<div class="container">
<div class="row">
<div class="col-12 col-lg-8">
<h1>LemonDuck Targets Docker for Cryptomining Operations</h1>
<div class="publish_info">
<p>April 21, 2022</p> <a href="https://www.crowdstrike.com/blog/author/manoj-ahuje/" title="Posts by Manoj Ahuje" rel="author">Manoj Ahuje</a> <a href="https://www.crowdstrike.com/blog/category/from-the-front-lines/" title="From The Front Lines">From The Front Lines</a> </div>
<div class="post_image"><img width="1060" height="698" src="https://www.crowdstrike.com/wp-content/uploads/2022/04/Blog_1060x698-11.jpeg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/04/Blog_1060x698-11.jpeg 1060w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Blog_1060x698-11-300x198.jpeg 300w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Blog_1060x698-11-1024x674.jpeg 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Blog_1060x698-11-768x506.jpeg 768w" sizes="(max-width: 1060px) 100vw, 1060px" /></div>
<div class="blog_content">
<ul>
<li><span style="font-weight: 400;">LemonDuck, a well-known </span><span style="font-weight: 400;">cryptomining botnet</span><span style="font-weight: 400;">, is targeting Docker to mine cryptocurrency on Linux systems. This campaign is currently active.</span></li>
<li><span style="font-weight: 400;">It runs an anonymous mining operation through the use of proxy pools, which hide the wallet addresses.</span></li>
<li><span style="font-weight: 400;">It evades detection by targeting Alibaba Cloud’s monitoring service and disabling it.</span></li>
<li><span style="font-weight: 400;">CrowdStrike customers are protected from this threat with the Falcon Cloud Workload Protection module. </span></li>
</ul>
<h2><span style="font-weight: 400;">Summary</span></h2>
<p><span style="font-weight: 400;">The recent cryptocurrency boom has driven crypto prices through the roof in the last couple of years. As a result, cryptomining activities have increased significantly as attackers are looking to get immediate monetary compensation. According to the </span><a href="https://securityonline.info/86-of-the-compromised-google-cloud-instances-were-used-to-perform-cryptocurrency-mining/"><span style="font-weight: 400;">Google Threat Horizon report</span></a><span style="font-weight: 400;"> published Nov. 29, 2021, 86% of compromised Google Cloud instances were used to perform cryptocurrency mining.</span></p>
<p><span style="font-weight: 400;">The CrowdStrike Cloud Threat Research team detected </span><a href="https://www.bleepingcomputer.com/news/security/microsoft-exchange-exploits-now-used-by-cryptomining-malware/"><span style="font-weight: 400;">LemonDuck</span></a><span style="font-weight: 400;"> targeting </span><a href="https://docs.docker.com/engine/api/"><span style="font-weight: 400;">Docker</span></a><span style="font-weight: 400;"> to mine cryptocurrency on the Linux platform. This campaign is currently active. </span></p>
<p><span style="font-weight: 400;">LemonDuck is a well-known cryptomining botnet involved in targeting Microsoft Exchange servers via </span><a href="https://proxylogon.com/"><span style="font-weight: 400;">ProxyLogon</span></a><span style="font-weight: 400;"> and the use of </span><a href="https://en.wikipedia.org/wiki/EternalBlue"><span style="font-weight: 400;">EternalBlue</span></a><span style="font-weight: 400;">, </span><a href="https://en.wikipedia.org/wiki/BlueKeep"><span style="font-weight: 400;">BlueKeep</span></a><span style="font-weight: 400;">, etc. to mine cryptocurrency, escalate privileges and move laterally in compromised networks. This botnet tries to monetize its efforts via various simultaneous active campaigns to mine cryptocurrency like </span><a href="https://www.getmonero.org/"><span style="font-weight: 400;">Monero</span></a><span style="font-weight: 400;">.</span></p>
<h2><span style="font-weight: 400;">What Is the Exposed Docker API?</span></h2>
<p><a href="https://www.docker.com/"><span style="font-weight: 400;">Docker</span></a><span style="font-weight: 400;"> is the platform for building, running and managing containerized workloads. Docker provides a number of APIs to help developers with automation, and these APIs can be exposed over local </span><a href="https://man7.org/linux/man-pages/man2/socket.2.html"><span style="font-weight: 400;">Linux sockets</span></a><span style="font-weight: 400;"> or over a TCP port (the default is 2375).</span></p>
<p><span style="font-weight: 400;">Since Docker is primarily used to run container workloads in the cloud, a misconfigured cloud instance can expose a Docker API to the internet. An attacker can then exploit this API to run a cryptocurrency miner inside an attacker-controlled container. Additionally, an attacker can escape a running container by abusing privileges and misconfigurations, or by exploiting one of the multiple vulnerabilities found in container runtimes such as </span><a href="https://www.docker.com/"><span style="font-weight: 400;">Docker</span></a><span style="font-weight: 400;">, </span><a href="https://containerd.io/"><span style="font-weight: 400;">Containerd</span></a><span style="font-weight: 400;"> and </span><a href="https://cri-o.io/"><span style="font-weight: 400;">CRI-O</span></a><span style="font-weight: 400;">.</span></p>
<p><a href="https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/"><span style="font-weight: 400;">Cr8escape</span></a><span style="font-weight: 400;"> is an example of one such vulnerability, discovered by CrowdStrike in the </span><a href="https://cri-o.io/"><span style="font-weight: 400;">CRI-O</span></a><span style="font-weight: 400;"> container runtime.</span></p>
<h2><span style="font-weight: 400;">Initial Compromise via Docker</span></h2>
<p><span style="font-weight: 400;">LemonDuck targets exposed Docker APIs to gain initial access. It runs a malicious container on an exposed Docker API, using a custom Docker ENTRYPOINT to download a file named “core.png” that is presented as an image but is actually a Bash script. In Figure 1, you can see the initial malicious entrypoint.</span></p>
<div id="attachment_119402" style="width: 560px" class="wp-caption alignnone"><img aria-describedby="caption-attachment-119402" loading="lazy" class="wp-image-119402" src="https://www.crowdstrike.com/wp-content/uploads/2022/04/Screen-Shot-2022-04-20-at-9.02.13-AM.png" alt="" width="550" height="44" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/04/Screen-Shot-2022-04-20-at-9.02.13-AM.png 1452w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Screen-Shot-2022-04-20-at-9.02.13-AM-300x24.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Screen-Shot-2022-04-20-at-9.02.13-AM-1024x82.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Screen-Shot-2022-04-20-at-9.02.13-AM-768x61.png 768w" sizes="(max-width: 550px) 100vw, 550px" /><p id="caption-attachment-119402" class="wp-caption-text">Figure 1. Malicious entrypoint downloading disguised Bash file as an image</p></div>
<p><span style="font-weight: 400;">The file “core.png” was downloaded from the domain </span><code><span style="font-weight: 400;">t.m7n0y[.]com</span></code><span style="font-weight: 400;">, which is associated with LemonDuck. By further analyzing this domain, CrowdStrike found multiple campaigns being operated through it, targeting the Windows and Linux platforms simultaneously.</span></p>
<p><span style="font-weight: 400;">As shown in Figure 2, the domain has a self-signed certificate installed, generated in May 2021 and expiring in May 2022. This further indicates that the domain is currently in use.</span></p>
<div id="attachment_119392" style="width: 635px" class="wp-caption alignnone"><img aria-describedby="caption-attachment-119392" loading="lazy" class="wp-image-119392" src="https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-7.png" alt="" width="625" height="444" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-7.png 1827w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-7-300x213.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-7-1024x727.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-7-768x545.png 768w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-7-1536x1090.png 1536w" sizes="(max-width: 625px) 100vw, 625px" /><p id="caption-attachment-119392" class="wp-caption-text">Figure 2. LemonDuck domain certificate</p></div>
<p><span style="font-weight: 400;">The unique certificate signature led the investigation to other domains actively used by this actor, potentially identifying other command-and-control (C2) servers used in this campaign. As shown in Figure 3, the investigation found a few domains using the same certificate at that time, but we did not find a “core.png” file being distributed by those related domains at the time of this writing. As shown in Figure 4, historical data collected by CrowdStrike suggests that “core.png” was distributed from multiple domains used by this actor in the past.</span></p>
<div id="attachment_119404" style="width: 210px" class="wp-caption alignnone"><img aria-describedby="caption-attachment-119404" loading="lazy" class="wp-image-119404" src="https://www.crowdstrike.com/wp-content/uploads/2022/04/Screen-Shot-2022-04-20-at-9.04.16-AM.png" alt="" width="200" height="57" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/04/Screen-Shot-2022-04-20-at-9.04.16-AM.png 536w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Screen-Shot-2022-04-20-at-9.04.16-AM-300x86.png 300w" sizes="(max-width: 200px) 100vw, 200px" /><p id="caption-attachment-119404" class="wp-caption-text">Figure 3. Domain sharing the same Certificate</p></div>
<div id="attachment_119393" style="width: 3068px" class="wp-caption alignnone"><img aria-describedby="caption-attachment-119393" loading="lazy" class="size-full wp-image-119393" src="https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-8.png" alt="" width="3058" height="743" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-8.png 3058w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-8-300x73.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-8-1024x249.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-8-768x187.png 768w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-8-1536x373.png 1536w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-8-2048x498.png 2048w" sizes="(max-width: 3058px) 100vw, 3058px" /><p id="caption-attachment-119393" class="wp-caption-text">Figure 4. Core.png like files being distributed in the past</p></div>
<p><span style="font-weight: 400;">Attackers usually run a single campaign from a single C2 server, but interestingly, multiple C2 servers used by LemonDuck each host several campaigns that target Windows as well as the Linux platform. Figure 5 shows the various dropper files used in these campaigns.</span></p>
<div id="attachment_119415" style="width: 1326px" class="wp-caption alignnone"><img aria-describedby="caption-attachment-119415" loading="lazy" class="wp-image-119415 size-full" src="https://www.crowdstrike.com/wp-content/uploads/2022/04/Screen-Shot-2022-04-20-at-9.23.52-AM.png" alt="" width="1316" height="1476" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/04/Screen-Shot-2022-04-20-at-9.23.52-AM.png 1316w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Screen-Shot-2022-04-20-at-9.23.52-AM-267x300.png 267w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Screen-Shot-2022-04-20-at-9.23.52-AM-913x1024.png 913w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Screen-Shot-2022-04-20-at-9.23.52-AM-768x861.png 768w" sizes="(max-width: 1316px) 100vw, 1316px" /><p id="caption-attachment-119415" class="wp-caption-text">Figure 5. Dropper files used in multiple campaigns targeting Windows and Linux</p></div>
<h2><span style="font-weight: 400;">Disguised Scripts to Set Up a Miner</span></h2>
<p><span style="font-weight: 400;">As shown in Figure 6, the “core.png&#8221; file acts as a pivot by setting up a Linux cron job inside the container. This cron job then downloads another disguised file, “a.asp,&#8221; which is actually a Bash script.</span></p>
<div id="attachment_119394" style="width: 2778px" class="wp-caption alignnone"><img aria-describedby="caption-attachment-119394" loading="lazy" class="size-full wp-image-119394" src="https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-9.png" alt="" width="2768" height="895" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-9.png 2768w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-9-300x97.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-9-1024x331.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-9-768x248.png 768w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-9-1536x497.png 1536w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-9-2048x662.png 2048w" sizes="(max-width: 2768px) 100vw, 2768px" /><p id="caption-attachment-119394" class="wp-caption-text">Figure 6. Core.png adds cronjob to download a.asp</p></div>
<p><span style="font-weight: 400;">The “a.asp&#8221; file is the actual payload in this attack. It takes several steps before downloading and starting a mining operation once it is triggered by a cronjob, as follows.</span></p>
<ul>
<li aria-level="1"><b>Kills processes based on names. </b>Kills a number of processes whose names match known mining pools, competing cryptomining groups, etc.</li>
<li aria-level="1"><b>Kills known daemons. </b>Daemons such as crond, sshd and syslog are killed by looking up their process IDs.</li>
<li aria-level="1"><b>Deletes known indicator of compromise (IOC) file paths. </b>The known IOC file paths of competing cryptomining groups are deleted to disrupt any existing operation.</li>
<li aria-level="1"><b>Kills known network connections. </b>Connections that are ESTABLISHED or in progress (SYN_SENT) to the known C2 servers of competing cryptomining groups are killed.</li>
</ul>
<h3>Disables Alibaba Cloud Defense</h3>
<p><a href="https://www.alibabacloud.com/help/en/cloudmonitor"><span style="font-weight: 400;">Alibaba Cloud’s monitoring service</span></a><span style="font-weight: 400;"> monitors cloud instances for malicious activity once its agent is installed on a host or container. LemonDuck’s “a.asp” file has the capability to disable the aliyun service in order to evade detection by the cloud provider, as shown in Figure 7.</span></p>
<div id="attachment_119395" style="width: 2547px" class="wp-caption alignnone"><img aria-describedby="caption-attachment-119395" loading="lazy" class="size-full wp-image-119395" src="https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-10.png" alt="" width="2537" height="1031" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-10.png 2537w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-10-300x122.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-10-1024x416.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-10-768x312.png 768w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-10-1536x624.png 1536w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-10-2048x832.png 2048w" sizes="(max-width: 2537px) 100vw, 2537px" /><p id="caption-attachment-119395" class="wp-caption-text">Figure 7. Disable Cloud monitoring service</p></div>
<h3><b>Cryptominer Startup and Use of Proxy Pools</b></h3>
<p><span style="font-weight: 400;">As a final step, LemonDuck’s “a.asp&#8221; file downloads and runs XMRig as a file named “xr,” which mines the cryptocurrency, as shown in Figure 8. Figure 9 shows the version of XMRig used for mining (version 6.14.0, released in August 2021). The config file used by XMRig indicates the use of a </span><a href="https://github.com/xmrig/xmrig-proxy"><span style="font-weight: 400;">cryptomining proxy pool</span></a><span style="font-weight: 400;">. Proxy pools help hide the actual crypto wallet address to which the proceeds of the current mining activity are sent. The pool address can be seen in Figure 9.</span></p>
<div id="attachment_119396" style="width: 2782px" class="wp-caption alignnone"><img aria-describedby="caption-attachment-119396" loading="lazy" class="size-full wp-image-119396" src="https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-11.png" alt="" width="2772" height="854" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-11.png 2772w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-11-300x92.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-11-1024x315.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-11-768x237.png 768w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-11-1536x473.png 1536w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-11-2048x631.png 2048w" sizes="(max-width: 2772px) 100vw, 2772px" /><p id="caption-attachment-119396" class="wp-caption-text">Figure 8. Binary named “xr” running as a mining process</p></div>
<div id="attachment_119397" style="width: 2510px" class="wp-caption alignnone"><img aria-describedby="caption-attachment-119397" loading="lazy" class="size-full wp-image-119397" src="https://www.crowdstrike.com/wp-content/uploads/2022/04/Untitled-1.jpg" alt="" width="2500" height="1238" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/04/Untitled-1.jpg 2500w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Untitled-1-300x149.jpg 300w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Untitled-1-1024x507.jpg 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Untitled-1-768x380.jpg 768w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Untitled-1-1536x761.jpg 1536w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Untitled-1-2048x1014.jpg 2048w" sizes="(max-width: 2500px) 100vw, 2500px" /><p id="caption-attachment-119397" class="wp-caption-text">Figure 9. XMRig version in use and pool address</p></div>
<h3><b>Lateral Movement via SSH</b></h3>
<p><span style="font-weight: 400;">Rather than mass-scanning public IP ranges for an exploitable attack surface, LemonDuck tries to move laterally by searching for SSH keys on the filesystem. This is one of the reasons this campaign was less evident than other mining campaigns run by other groups. Once SSH keys are found, the attacker uses them to log in to the corresponding servers and run the malicious scripts discussed earlier. Figure 10 shows the search for SSH keys on the filesystem.</span></p>
<div id="attachment_119398" style="width: 3534px" class="wp-caption alignnone"><img aria-describedby="caption-attachment-119398" loading="lazy" class="size-full wp-image-119398" src="https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-12.png" alt="" width="3524" height="762" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-12.png 3524w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-12-300x65.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-12-1024x221.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-12-768x166.png 768w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-12-1536x332.png 1536w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-12-2048x443.png 2048w" sizes="(max-width: 3524px) 100vw, 3524px" /><p id="caption-attachment-119398" class="wp-caption-text">Figure 10. Key search</p></div>
<h2><span style="font-weight: 400;">CrowdStrike Detection</span></h2>
<p><span style="font-weight: 400;">The CrowdStrike Falcon<sup>®</sup> platform protects its customers from post-exploitation activity with its runtime protection and cloud machine learning models. As shown in Figure 11, a malicious mining process was killed by the CrowdStrike machine learning model. Figure 12 additionally shows the origin of the process and the container information using CrowdStrike Threat Graph<sup>®</sup>.</span></p>
<div id="attachment_119399" style="width: 2078px" class="wp-caption alignnone"><img aria-describedby="caption-attachment-119399" loading="lazy" class="size-full wp-image-119399" src="https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-13.png" alt="" width="2068" height="935" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-13.png 2068w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-13-300x136.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-13-1024x463.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-13-768x347.png 768w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-13-1536x694.png 1536w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-13-2048x926.png 2048w" sizes="(max-width: 2068px) 100vw, 2068px" /><p id="caption-attachment-119399" class="wp-caption-text">Figure 11. CrowdStrike cloud-based machine learning killing a malicious container process</p></div>
<div id="attachment_119400" style="width: 2080px" class="wp-caption alignnone"><img aria-describedby="caption-attachment-119400" loading="lazy" class="size-full wp-image-119400" src="https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-14.png" alt="" width="2070" height="1141" srcset="https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-14.png 2070w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-14-300x165.png 300w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-14-1024x564.png 1024w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-14-768x423.png 768w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-14-1536x847.png 1536w, https://www.crowdstrike.com/wp-content/uploads/2022/04/Picture1-14-2048x1129.png 2048w" sizes="(max-width: 2070px) 100vw, 2070px" /><p id="caption-attachment-119400" class="wp-caption-text">Figure 12. CrowdStrike Threat Graph for the malicious process</p></div>
<h2><span style="font-weight: 400;">Conclusion</span></h2>
<p><span style="font-weight: 400;">Due to the cryptocurrency boom in recent years, combined with cloud and container adoption in enterprises, cryptomining has proven to be a monetarily attractive option for attackers. Since cloud and container ecosystems rely heavily on Linux, they drew the attention of the operators of botnets like LemonDuck, which started targeting Docker for cryptomining on the Linux platform.</span></p>
<p><span style="font-weight: 400;">As this attack shows, LemonDuck utilized part of its vast C2 operation to target Linux and Docker in addition to its Windows campaigns. It evaded defenses not only by using disguised files and killing monitoring daemons, but also by disabling Alibaba Cloud’s monitoring service.</span></p>
<p><span style="font-weight: 400;">At CrowdStrike, we expect such kinds of campaigns by large </span><a href="https://www.crowdstrike.com/cybersecurity-101/botnets/"><span style="font-weight: 400;">botnet</span></a><span style="font-weight: 400;"> operators to increase as cloud adoption continues to grow.</span></p>
<p><a href="https://www.crowdstrike.com/cybersecurity-101/cloud-security/container-security/"><span style="font-weight: 400;">Securing containers</span></a><span style="font-weight: 400;"> need not be an overly complex task. Using the Falcon platform, you can easily identify security issues in your environment in real time. You can use built-in features of Kubernetes and best practices to keep your container environment safe. For enhanced security, you can use integrated container security products such as </span><a href="https://www.crowdstrike.com/cloud-security-products/falcon-cloud-workload-protection/"><span style="font-weight: 400;">CrowdStrike Falcon Cloud Workload Protection</span></a><span style="font-weight: 400;"> that can protect your Kubernetes environment seamlessly.  </span></p>
<p><span style="font-weight: 400;">CrowdStrike strives to support organizations that allow their users to stay ahead of the curve and remain fully protected from adversaries and breaches.</span></p>
<h4><span style="font-weight: 400;">Additional Resources</span></h4>
<ul>
<li><em><span style="font-weight: 400;">Learn how you can </span><a href="https://www.crowdstrike.com/cloud-security-products/"><span style="font-weight: 400;">stop cloud breaches with CrowdStrike</span></a><span style="font-weight: 400;"> unified cloud security posture management and breach prevention for multi-cloud and hybrid environments — all in one lightweight platform.</span></em></li>
<li><em><span style="font-weight: 400;">Learn more about how </span><a href="https://www.crowdstrike.com/cloud-security-products/falcon-cloud-workload-protection/"><span style="font-weight: 400;">Falcon Cloud Workload Protection</span></a><span style="font-weight: 400;"> enables organizations to build, run and secure cloud-native applications with speed and confidence</span></em></li>
<li><em><span style="font-weight: 400;">See if a managed solution is right for you. Find out about </span><a href="https://www.crowdstrike.com/products/cloud-security/falcon-cloud-workload-protection-complete/"><span style="font-weight: 400;">Falcon Cloud Workload Protection Complete: Managed Detection and Response for Cloud Workloads</span></a><span style="font-weight: 400;">.</span></em></li>
</ul>
</div>
</div>
</div>
</div>
</article>
</script> </main>
</div>
</div>
</div>
<script src="/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js" data-cf-settings="ed96c40778f29c2367427de9-|49" defer=""></script></body>
</html>